gh0strat | 7854d2a4eee142a4382472dfe90a063eb41ff1957e3186dedc146b070831e06f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
Size

224KB
MD5

3b9d1a2900223810cc0168c0ebec303c
SHA1

f2856930c0590a6fddc76b1eb520473bb31c34e3
SHA256

7854d2a4eee142a4382472dfe90a063eb41ff1957e3186dedc146b070831e06f
SHA512

7fcb2b40b0b4d19aa8750cc2bea364d63828960052ee9f16517f9dba399c502571ca09d8215f43f4892760c596be997d28c51cdc2ec121bc53ea993c7c23af10
SSDEEP

6144:msOZtaqC2RShTSUd2SHZI+regn4ksb1LhK:MZtaqkNSUYSHZI+regn4kKs

Score

10^/10

gh0strat defense_evasion discovery persistence rat trojan

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/4500-26-0x0000000001200000-0x0000000001225000-memory.dmp	family_gh0strat
behavioral2/memory/1688-29-0x0000000000CF0000-0x0000000000D15000-memory.dmp	family_gh0strat
behavioral2/memory/4500-30-0x0000000001200000-0x0000000001225000-memory.dmp	family_gh0strat
behavioral2/memory/1688-31-0x0000000000CF0000-0x0000000000D15000-memory.dmp	family_gh0strat
behavioral2/memory/4500-34-0x0000000001200000-0x0000000001225000-memory.dmp	family_gh0strat
behavioral2/memory/1688-35-0x0000000000CF0000-0x0000000000D15000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

UAC bypass 3 TTPs 3 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	rundll32.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WMc3fJ5h\Parameters\ServiceDll = "C:\\Windows\\system32\\Bgf0qq.pic"	XMP.exe

Deletes itself 1 IoCs

pid	Process
1688	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
4724	XMP.exe

Loads dropped DLL 7 IoCs

pid	Process
3684	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
3684	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
3684	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
4500	svchost.exe
4500	svchost.exe
1688	rundll32.exe
1688	rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\systemwin.log	XMP.exe
File created	C:\Windows\SysWOW64\Bgf0qq.pic	XMP.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Thunder Network\XMP.exe	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
File created	C:\Program Files (x86)\Thunder Network\Program\mp.dll	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
File opened for modification	C:\PROGRA~2\THUNDE~1\XMP.exe	XMP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XMP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
4724	XMP.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4724	XMP.exe
Token: SeRestorePrivilege	4724	XMP.exe
Token: SeDebugPrivilege	4500	svchost.exe
Token: SeDebugPrivilege	1688	rundll32.exe
Token: SeBackupPrivilege	1688	rundll32.exe
Token: SeSecurityPrivilege	1688	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4724	3684	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe	83
PID 3684 wrote to memory of 4724	3684	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe	83
PID 3684 wrote to memory of 4724	3684	JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe	83
PID 4724 wrote to memory of 1392	4724	XMP.exe	85
PID 4724 wrote to memory of 1392	4724	XMP.exe	85
PID 4724 wrote to memory of 1392	4724	XMP.exe	85
PID 4500 wrote to memory of 1688	4500	svchost.exe	87
PID 4500 wrote to memory of 1688	4500	svchost.exe	87
PID 4500 wrote to memory of 1688	4500	svchost.exe	87

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Program Files (x86)\Thunder Network\XMP.exe
  "C:\Program Files (x86)\Thunder Network\XMP.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\PROGRA~2\THUNDE~1\XMP.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k WMc3fJ5h
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\bgf0qq.pic,CreateExaminePage WMc3fJ5h
  2⤵
  - UAC bypass
  - Deletes itself
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Thunder Network\XMP.exe

Filesize
333KB

MD5
97405665bbdf4fbb45b080aa89791e69

SHA1
e5a7c19c1caf98b42fe664983105b60197883c75

SHA256
9e8fc4389e6e9849cb2a25131034e2452bbf62dc39d22aad7f304ff6be9b3bb6

SHA512
e600e347662b05b128cf1ac0bcc8ba3aa536cc2e5506d3e793862d625fcc4dcbc941e6d1ed9b4480b0ee799a798852ec2c616698adbacfce27994b72a6fe200b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu9E84.tmp\Banner.dll

Filesize
4KB

MD5
0116a50101c4107a138a588d1e46fca5

SHA1
b781dce23e828cf2b97306661c7dad250a6aaf77

SHA256
ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b

SHA512
55de6aeaad05b01a25828553d3ea9f1b32a8b0c35c42dc6106bed244320e3421ec6a6f5359b15f9d18dd1e9692ca5572b2736d9d48cceb07b9443601d00a5988

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu9E84.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1688-29-0x0000000000CF0000-0x0000000000D15000-memory.dmp

Filesize
148KB

Download
memory/1688-31-0x0000000000CF0000-0x0000000000D15000-memory.dmp

Filesize
148KB

Download
memory/1688-35-0x0000000000CF0000-0x0000000000D15000-memory.dmp

Filesize
148KB

Download
memory/4500-26-0x0000000001200000-0x0000000001225000-memory.dmp

Filesize
148KB

Download
memory/4500-30-0x0000000001200000-0x0000000001225000-memory.dmp

Filesize
148KB

Download
memory/4500-34-0x0000000001200000-0x0000000001225000-memory.dmp

Filesize
148KB

Download